Protecting Against Malicious Use of Remote Monitoring and Management Software | CISA

Two agencies warn defenders about the malicious use of legitimate remote monitoring and management (RMM) software, showing how attackers abused tools like ScreenConnect (ConnectWise Control) and AnyDesk via phishing to steal funds and gain backdoor access. The advisory also highlights that portable, non-installable executables can bypass controls and establish persistence or C2, prompting recommended mitigations for defenders. #ScreenConnect #AnyDesk #SilentPush #Norton #GeekSquad

Keypoints

  • Joint Cybersecurity Advisory (CISA, NSA, MS-ISAC) warns about malicious use of legitimate remote monitoring and management (RMM) software.
  • Attackers used phishing emails to prompt victims to download portable RMM clients (ScreenConnect/ConnectWise Control and AnyDesk).
  • First-stage domains impersonated trusted brands and used redirects to download RMM software, enabling covert access.
  • RMM tools were used as backdoors for persistence and potential command-and-control (C2) access, often without requiring admin rights.
  • Threat actors could exploit MSPs and IT help desks, leveraging trust relationships to reach many customers.
  • Defenders are urged to apply mitigations such as phishing blocks, RMM audits, log review, allowlisting, and network controls over RMM ports.
  • IOCs include multiple malicious domains observed in 2022 (e.g., win03.xyz, myhelpcare.online, 247secure.us).

MITRE Techniques

  • [T1566.001] Spearphishing Link – The actors used phishing emails that led to the download of legitimate RMM software, including help desk-themed emails and links to first-stage domains. ‘The emails either contain a link to a “first-stage” malicious domain …’
  • [T1204.002] User Execution – Malicious Link – The recipient visiting the first-stage malicious domain triggers the download of an executable. ‘The recipient visiting the first-stage malicious domain triggers the download of an executable.’
  • [T1105] Ingress Tool Transfer – The executable connects to a second-stage domain to download additional RMM software. ‘it downloads additional RMM software’ from the second-stage domain.
  • [T1021] Remote Services – The actors used the RMM software to connect to and interact with the victim’s system. ‘The actors then used their access through the RMM software to modify the recipient’s bank account summary.’
  • [T1562.001] Impair Defenses – RMM use can bypass defenses; defenders are advised to detect RMM running as memory-loaded software. ‘Use security software to detect instances of RMM software only being loaded in memory.’
  • [T1199] Trusted Relationship – Threat actors target legitimate users of RMM tools, leveraging MSPs and IT help desks to move laterally or expand access. ‘Threat actors often target legitimate users of RMM software. Targets can include managed service providers (MSPs) and IT help desks…’

Indicators of Compromise

  • [Domain] – win03.xyz – Suspected first-stage malware domain; observed June 1, 2022 and July 19, 2022
  • [Domain] – myhelpcare.online – Suspected first-stage malware domain; observed June 14, 2022
  • [Domain] – win01.xyz – Suspected first-stage malware domain; observed August 3, 2022 and August 18, 2022
  • [Domain] – myhelpcare.cc – Suspected first-stage malware domain; observed September 14, 2022
  • [Domain] – 247secure.us – Second-stage malicious domain; observed October 19, 2022 and November 10, 2022
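As an added defender-side example (not code from the advisory or from this summary), the Python below applies two of the recommended mitigations (RMM audits and log review) to constructed log lines: it flags the RMM clients named in the advisory when launched from a user-writable path instead of a sanctioned install directory, which is how a portable, non-installed client shows up, and it matches DNS queries against the first- and second-stage domains in the IOC list above. The log line format, the executable-name markers and the sanctioned directories are assumptions to be adapted to local telemetry.

```python
import re

# Domains taken from the advisory's IOC list (first- and second-stage).
FIRST_STAGE_DOMAINS = {"win03.xyz", "myhelpcare.online", "win01.xyz", "myhelpcare.cc"}
SECOND_STAGE_DOMAINS = {"247secure.us"}

# Assumed substrings identifying the RMM clients named in the advisory.
RMM_MARKERS = ("screenconnect", "anydesk")

# Assumed locations of a sanctioned, installed RMM client; anything else
# is treated as a portable launch that bypassed software install controls.
SANCTIONED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample telemetry (not real logs): process starts and DNS lookups.
SAMPLE_LOGS = [
    "proc user=jdoe image=C:\\Users\\jdoe\\Downloads\\ScreenConnect.ClientSetup.exe",
    "proc user=jdoe image=C:\\Program Files\\AnyDesk\\AnyDesk.exe",
    "proc user=svc image=C:\\Windows\\System32\\svchost.exe",
    "dns host=ws12 query=myhelpcare.online",
    "dns host=ws12 query=cdn.247secure.us",
    "dns host=ws07 query=example.com",
]

PROC_RE = re.compile(r"^proc\s+user=(?P<user>\S+)\s+image=(?P<image>.+?)\s*$")
DNS_RE = re.compile(r"^dns\s+host=(?P<host>\S+)\s+query=(?P<query>\S+)\s*$")


def domain_matches(query, domains):
    """True if the queried name is an IOC domain or a subdomain of one."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def analyze(lines):
    """Return (alert_type, subject, detail) tuples for suspicious lines."""
    alerts = []
    for line in lines:
        m = PROC_RE.match(line)
        if m:
            image = m["image"].lower()
            if any(k in image for k in RMM_MARKERS) and not image.startswith(SANCTIONED_DIRS):
                alerts.append(("portable_rmm", m["user"], m["image"]))
            continue
        m = DNS_RE.match(line)
        if m and domain_matches(m["query"], FIRST_STAGE_DOMAINS):
            alerts.append(("first_stage_domain", m["host"], m["query"]))
        elif m and domain_matches(m["query"], SECOND_STAGE_DOMAINS):
            alerts.append(("second_stage_domain", m["host"], m["query"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

An installed AnyDesk under Program Files produces no alert here; a portable ScreenConnect client in a Downloads folder and lookups of the listed domains (including subdomains) do.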

Read more: https://www.cisa.gov/uscert/ncas/alerts/aa23-025a